Secure on-prem integration with cloud-native analytics.
TestedCloud is a hands-on hybrid cloud architecture lab that connects an on-prem Docker environment running on an Intel NUC with Google Cloud services including Pub/Sub, Cloud Run, BigQuery, private VPC networking, IAM hardening, Cloudflare Access, and Cloud Monitoring alerts.
The operational lab UI is protected with Cloudflare Access and requires authorization.
Architecture overview
The lab demonstrates an event-driven hybrid pattern: selected events originate on-prem, move through Pub/Sub, are processed by Cloud Run, and land in BigQuery for analytics and dashboarding.
Architecture diagram nodes: UI / API, testedcloud-events, consumer, hybrid_events, Looker Studio, Alerts.
On-prem layer
Ubuntu Server on Intel NUC using Docker Compose with FastAPI, static frontend, and NGINX reverse proxy.
Cloud processing
Pub/Sub push delivery to Cloud Run with authenticated invocation and BigQuery inserts.
Analytics layer
BigQuery tables and views support latency metrics, event inspection, and dashboarding.
Security and IAM hardening
TestedCloud was hardened beyond the prototype stage by separating service identities, removing broad default permissions, and protecting external access.
Implemented controls
- Cloud Run migrated to a dedicated runtime service account.
- Broad roles removed from the default Compute Engine service account.
- Pub/Sub invokes Cloud Run using OIDC authentication.
- The private VM has no external IP and is reached over IAP-tunnelled SSH.
- Cloudflare Access protects ui.testedcloud.com.
- The direct public port-forwarding bypass was removed.
Secret hygiene
- Local docker-compose.yml is excluded from Git.
- Local frontend config.js is excluded from Git.
- Sanitized examples are committed for reproducibility.
- Notification channel IDs are redacted in policy definitions.
- Billing account details are sanitized in evidence files.
Monitoring and operational visibility
The lab includes real Cloud Monitoring alert policies for the most important operational failure modes.
Cloud Run 5xx errors
Detects server-side failures in the Cloud Run event consumer.
Pub/Sub backlog
Detects delayed or stuck messages in the main consumer subscription.
DLQ messages
Detects failed messages routed to the dead-letter queue after retry exhaustion.
Evidence-based validation
The project includes sanitized evidence files and versioned documentation to prove the architecture was implemented and validated.
Validated pipeline
Events from the web UI and on-prem NUC were processed through Pub/Sub, Cloud Run, and BigQuery.
Failure handling
A malformed payload was used to validate retry behavior and dead-letter queue routing.
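As an added illustration (not code from the TestedCloud project) of two controls described on this page, OIDC-authenticated push from Pub/Sub and non-2xx responses that drive a malformed message through retries into the dead-letter queue, here is a minimal Python handler for the Cloud Run consumer. The endpoint URL, push service account, required event fields and envelope contents are assumptions, and the token verifier is injected so the example runs offline.

```python
import base64
import json
from typing import Callable

# Assumed lab values (not taken from the page): the consumer's push endpoint,
# used as the OIDC audience, and the service account the subscription pushes as.
PUSH_AUDIENCE = "https://consumer-example.run.app/push"
PUSH_SERVICE_ACCOUNT = "pubsub-push@example-project.iam.gserviceaccount.com"
REQUIRED_FIELDS = ("event_type", "source", "ts")

def check_push_identity(headers: dict, verify: Callable[[str], dict]) -> bool:
    """Validate the OIDC bearer token Pub/Sub attaches to authenticated push.
    `verify` is injected so this runs offline; on Cloud Run it would be
    google.oauth2.id_token.verify_oauth2_token, which fetches Google's keys."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    try:
        claims = verify(auth[len("Bearer "):])
    except ValueError:  # bad signature, expired token, wrong issuer
        return False
    # Token must be minted for this endpoint by the expected push identity.
    return claims.get("aud") == PUSH_AUDIENCE and claims.get("email") == PUSH_SERVICE_ACCOUNT

def parse_event(body: bytes) -> dict:
    """Unwrap the push envelope and decode the event; ValueError if malformed."""
    envelope = json.loads(body)
    data = base64.b64decode(envelope["message"]["data"], validate=True)
    event = json.loads(data)
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return event

def handle_push(headers: dict, body: bytes, verify: Callable[[str], dict]) -> int:
    """HTTP status for one push delivery: 2xx acks; anything else is redelivered
    with backoff until max delivery attempts, then routed to the dead-letter topic."""
    if not check_push_identity(headers, verify):
        return 401
    try:
        event = parse_event(body)  # next step would insert `event` into BigQuery
    except (ValueError, KeyError, TypeError):
        return 400  # malformed payload: let retries exhaust into the DLQ
    return 204

def sample_envelope(event: dict) -> bytes:
    """Constructed push envelope in the shape Pub/Sub POSTs to the endpoint."""
    data = base64.b64encode(json.dumps(event).encode()).decode()
    envelope = {"message": {"data": data, "messageId": "1", "attributes": {}},
                "subscription": "projects/example-project/subscriptions/consumer"}
    return json.dumps(envelope).encode()
```

The injected verifier must reject tokens whose `aud` is not this endpoint or whose `email` is not the push service account; otherwise any caller holding a valid Google-issued ID token could feed events into BigQuery.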
Private networking
The private VM, custom VPC, Private Google Access, and the IAP firewall rule are documented with evidence.
Roadmap
TestedCloud is designed as an expanding portfolio platform, starting with the Core Platform and growing into mobile, industrial telemetry, hybrid routing, and AI analytics.
- Hybrid event ingestion, IAM hardening, Cloudflare Access, BigQuery analytics, evidence, monitoring alerts, and runbooks.
- Public landing page at testedcloud.com while keeping the operational lab protected at ui.testedcloud.com.
- Android/Firebase messaging app demonstrating Firebase Auth, Firestore, Cloud Run, Pub/Sub, BigQuery, and product analytics.
- SINEC NMS, Ruggedcom/SCALANCE, SNMP, syslog, network events, and OT-to-cloud analytics.
- Hybrid routing lab, advanced analytics, BigQuery ML or Vertex AI experiments, and edge-to-cloud operational insights.
Positioning
TestedCloud demonstrates the ability to build, secure, validate, monitor, document, and explain a realistic hybrid cloud architecture from end to end.
It connects industrial infrastructure experience with modern Google Cloud architecture patterns: event ingestion, serverless processing, IAM, private networking, secure access, analytics, monitoring, cost awareness, and operational troubleshooting.